Following on from my previous post on triggers, I had made a mental note to make sure I did a post about a DDL trigger I use. As a DBA I am a gatekeeper to the companies SQL Server estate, I would love to say that every instance is locked down tighter than Fort Knox but this is not true. The reality is that there are inevitably permissions nested that give a level of access that exceeds what the person actually requires to fulfill their role. Sure I could just cart blanch everything I deem as being excessive and go on a REVOKE spree, but there would be a whole host of political repercussions as a result. Rightly or Wrongly, the cold harsh reality is that some of these permissions will remain.As a safety net I use a DDL Trigger in every single production database to notify me if someone has abused the privilege of having elevated permission. It is worth highlighting that while I was creating the script used in this post I ran into the 2000 line limit of the undocumented sp_msforeachdb stored procedure and was just about to revert to using a while loop when @sqlchicken pointed out I should look at using an improved version created by @AaronBertrand. You can find the sp_foreachdb procedure here. It is so much more flexible than the original Microsoft system procedure and one that I have now rolled out to our SQL Estate. I will also be going back and updating all the routines I have that use sp_msforeachdb and replacing them with sp_foreachdb.The below script will create a DDL Trigger trgDDLTableModification in every user database which will fire for the below statements;ALTER_TABLECREATE_TRIGGERALTER_TRIGGERDROP_TRIGGERYou will need to change the below two lines accordingly@profile_name= 'DBA',@recipients = 'Chris@SQLServer365.com',

/*

-----------------------------------------------------------------

DDL Trigger

-----------------------------------------------------------------

For more SQL resources, check out SQLServer365.blogspot.com

-----------------------------------------------------------------

You may alter this code for your own purposes.

You may republish altered code as long as you give due credit.

You must obtain prior permission before blogging this code.

THIS CODE AND INFORMATION ARE PROVIDED "AS IS"

-----------------------------------------------------------------

*/

-- Set database context

USEmaster;

GO

-- Drop trigger in all user databases

EXECsp_foreachdb

@command ='USE ?;

IF EXISTS (SELECT 1 FROM sys.triggers WHERE parent_class_desc = ''DATABASE'' AND name = ''trgDDLTableModification'')

I have used the @print_command_only = 1 for both the drop and create statements for consistency because 'CREATE TRIGGER' must be the first statement in a query batch, so the second execution of sp_foreachdb would fail otherwise. All you need to do once run is copy the results from the messages window paste them in a new query window and execute.Enjoy!Chris